“From the insurance side of the house, they made some mistakes”
The attacks that make cyber insurance an absolute necessity for you and your clients keep ratcheting up—and so do the costs. Is there any end in sight? Hear from cybersecurity expert Wes Spencer and insurance professional Chris Wilkerson on:
- How cyber attacks in 2019 shaped the cyber insurance market we know today—and why you should care
- How to turn increasingly stringent insurance requirements to your MSP’s advantage
- The critical insurance component that every MSP needs
- Where trends are pointing for cyber premiums in the next two to three years
- Why making an insurance claim should be an absolutely last ring of defense for your business
Who’s on this episode
Host: Jennifer Tribe
Guest: Wes Spencer, Vice President and Channel Chief, FifthWall Solutions
Wes Spencer is an award-winning cybersecurity influencer and co-founder of multiple cybersecurity companies including Perch Security. He’s now VP and Channel Chief for FifthWall Solutions, the nation’s largest insurance broker focusing exclusively on cybersecurity insurance. Wes is the co-host of the CyberCall with over 5,000 weekly MSP listeners. You’ll also find him on YouTube where his dictator headquarters are, and he talks a bit about technology, cybersecurity, and cryptocurrency. Outside of the office, Wes fancies a tasty bourbon and some crispy hot chicken.
Guest: Chris Wilkerson, VP of Risk and Head of Insurance, Blackpoint Cyber
Chris Wilkerson leads product development and distribution of Blackpoint Cyber’s structured cyber and professional liability insurance platform powered by Blackpoint MDR. Prior to Blackpoint, Chris managed cyber and financial risk for a large national broker, where he was involved in response and settlement of multiple seven-figure ransomware claims. Chris holds a B.S. in Math and Economics from Vanderbilt.
Jennifer: I’m Jennifer Tribe and this is Workflow, the new podcast about growing a happier, healthier MSP.
What does that mean—a happier, healthier MSP?
It means we’re going to be exploring how you, as a managed service provider, can build the thriving business and income you want without working yourself into the ground to do it. It’s about how to bring balance and efficiency and enjoyment to all aspects of your MSP, from finance and operations to team management and client care.
It’s about finding your flow.
Join me every other Friday for a new episode of Workflow for MSPs, wherever you get your podcasts.
Let’s kick things off with a doozy shall we? Does the topic of cyber insurance make you break into a cold sweat?
Premiums are going through the roof. Insurance companies are making it harder and harder to qualify. There is ever more paperwork, more requirements. And the attacks that make cyber insurance an absolute necessity for your MSP and your clients keep ratcheting up.
It’s enough to make any business owner want to tear their hair out.
Today on Workflow, we’re going to talk about cyber insurance with Wes Spencer from FifthWall and Chris Wilkerson from Blackpoint Cyber.
How did we get to this place of skyrocketing premiums and is there any end in sight? I’ll tell you something, if there is any blame to be placed here, it’s not on you, the insurance companies made some big mistakes here.
This is important stuff to know so you can understand where the cyber insurance market is headed, what to expect in the next couple of years, and maybe most importantly how you can get a handle on those cyber insurance premiums in your technology business.
Wes Spencer is Vice President and Channel Chief for FifthWall Solutions, a US-based insurance broker that focuses exclusively on cyber insurance. Wes was previously the co-founder of Perch Security, which he successfully sold in 2020 to ConnectWise. And you might know him from his weekly CyberCall or his popular YouTube channel on cybersecurity and cryptocurrency.
“The worst thing you can have is more and more policies being written but they’re not coming down in risk.”
Wes: Just a quick caveat for myself. In the insurance space, we always have to be real careful to say things like, I’m not giving you specific insurance advice today on this podcast. I’m just speaking in generics because every client and every MSP, it’s different, right? So you need to speak to a qualified insurance agent that knows what they’re talking about.
Jennifer: That goes for me too by the way. I’m a podcast host, not an insurance agent or lawyer.
Wes: From the insurance side of the house, they made some mistakes. We can just kind of lead in with that. I joke and I sort of say in those days of bliss, you know, 2018, 19, it was like Oprah—all the carriers are like, you get insurance, you get insurance, you get insurance because they thought it was like stealing candy from a baby. They thought what kind of downmarket client could ever be hit by this cybercrime? This is the stuff for Bank of America to worry about, right? Not for small companies.
But you see over 2019 and 2020, a huge escalation and COVID was one of the things that really pushed this up into the stratosphere because everybody’s working from home and we remember this story, right? The story of, wait a second, I’m not sure that all of these companies have done the right thing in protecting their business. They’ve just left RDP wide open to connect in. And then you see these ransomware attacks.
We see a volume in attacks going up and the cost of those attacks going up. The commensurate response for insurance is, well maybe this wasn’t as cheap to offer as we thought. And so maybe an alternative way to think about this is it’s not so much that premiums are getting more expensive. It’s that they’re becoming more commensurate to the level of risk that’s presented in the SMB sector, if that makes sense.
We went from about $1.5 billion in premiums being written in 2020 up to 2021, we’ve doubled that. We’re at now over $3 billion. So the amount of insurance that are being written is doubled. In other words, the volume has gone up. But the other bad thing is loss ratios have blown up along side. And so the worst thing you can have in insurance is more and more policies being written, but they’re not coming down in risk.
Loss ratio is like how much are we paying out versus how much we’re offering. And to give you a good rule of thumb, let’s take the auto industry. Ten percent is considered a fairly good loss ratio. In other words, 90% of what we write, we’re not going to pay out a claim on. Keep in mind, insurance is in this for profit, just like the rest of us, and it’s very expensive to offer insurance. It’s not like, oh they got 90% margins. No, there’s a lot of things that go into that.
Well, guess what cyber is right now. It’s staggering. It’s at about 62% the last time it was measured, which is unbelievably high. And it was higher than that, it was over 70 like 5% almost in about 2020 at the peak of these attacks. So it’s come down a little bit, but it is still astronomically high. And so as long as we have a lot of insurance premiums being written for clients and we have loss ratios that are really high, it’s out of your hands. It’s always going to become more expensive, more expensive, more expensive.
“You have to go back to the ‘80s for the last time we saw anything like this”
Jennifer: Chris Wilkerson is the VP of Risk and head of insurance at Blackpoint Cyber. Where Wes comes to insurance from a cybersecurity background, Chris comes to cybersecurity from an insurance background. He’s been working in the insurance market for decades, including a six-year stretch with one of the top 10 biggest insurance brokers in the country. He points out that carriers were giving insurance to everyone because it was a brand new market and they wanted as much of it as possible.
Chris: Cyber insurance, I think to its ultimate detriment, went to market with kind of a finger in the wind approach on pricing. We as a business didn’t have a ton of relevant analytics on how to price it because we just hadn’t seen a lot of losses. There were some, but not at a level that really facilitated sophisticated actuarial analysis. Because of that it kind of became a race to aggregate top line premium.
So you had carriers pushing to gain market share because we were all looking at cyber insurance as a driver of top line growth in insurance for the foreseeable future. Insurance is a really old business, been around for 300 plus years. There aren’t a lot of blue ocean strategies that come along in that business. Not a lot of ways of growing the top line in an innovative environment. Cyber was one. So because of that, it became a bit of a free-for-all to aggregate premium. And the approach from most of the market seemed to be, given that we don’t have a ton of sophistication around analytics, we’re going to try to aggregate business and hope for the best.
Jennifer: Hoping for the best didn’t turn out so well though.
Chris: We were in a soft market for 15 years really, and that didn’t start to change until about 2019. And when it started to change, it changed dramatically and very quickly. So we in 2020 entered into what was and really still is the hardest market for any line of insurance in 30 plus years. So never mind cyber specifically, for any line of coverage in the insurance world. You have to go back to the ‘80s for the last time that we saw anything like this.
Premiums are up in the aggregate, around 60% year over year. In some cases, it’s much more extreme than that. All of this being driven by the fact that insured ransomware has increased 500% in the last 24 months. Some carriers exited completely. Others dramatically changed their approach with a much more specific niche and underwriting strategy. Others instituted dramatic sub limits. And this is one that we found particularly impactful and that we started to see carriers that were sublimiting coverage for ransomware and any loss that might arise out of ransomware.
Jennifer: Note what Chris is saying here. As the cyber insurance market blew up with claims, a bunch of things happened. Some insurance carriers just said I’m out. They left the market. That means a smaller supply of insurance. Some changed their underwriting strategy—meaning they implemented tougher qualifications. And some added significant limits, meaning it can be harder to get the amount of coverage you might realistically need.
“Tech E&O has become really expensive”
Jennifer: Let’s take a brief detour with Wes to talk about the kind of insurance coverage you need as an MSP, because it will highlight another contributing factor to both costs increases and difficulties in qualifying.
Wes: A comprehensive cyber insurance policy is typically aimed for clients, right?
It’s going to include a lot of different things inside of the policy. It’s not just we would pay a ransom if something were to happen. It includes things like the cost for social engineering attacks, credit monitoring, digital forensics, data restoration, legal costs, a bunch of things like even privacy regulation kinds of things, and damages from like lost business. But when we talk about MSPs, there’s another thing that you really want, and this is called tech E&O. This is like tech errors and omissions. And if you’re an MSP listening today and you think, I know we don’t have tech E&O or you think, you know what? I don’t know if we have it. One of your big takeaways is after this podcast, go find out. Because tech E&O is a critical component that all MSPs need.
And the reason for this is it covers the liability from the MSP themselves that may go downward to their clients. Let me give you an example of this. Jennifer, you and I did a podcast a couple of years ago and we talked about how threat actors are leveraging MSPs to attack other clients. You’re the gateway because the RMM is all valuable. If a bad guy can get access to the RMM, they’re going to deploy ransomware everywhere. Well, let’s play that out. Let’s say an MSP has had an attack. One of the techs opened an email, something like that, and a threat actor got a foothold on the device and they finally got access to the RMM, they deployed ransomware everywhere.
From an insurance perspective, a cyber policy that you have on your own will not cover the damages done to your clients. And the reason for that is because from an insurance perspective, the client’s going to look at this and say, wait a second, we did nothing wrong. In fact, nobody did anything wrong in terms of some kind of nasty threat that happened at the end user level. It was the RMM legitimately… which is tough to say, “legitimately” deploying ransomware. And so this is an error and omission on the part of the MSP. And so tech E&O covers those kinds of things where it’s not a failure of antivirus on the end user. It’s the failure of the MSP that led to the breach for the client.
The problem with tech E&O as we know, Jennifer, it’s like it’s become really difficult to get. There’s probably only six or seven carriers that are even willing to offer tech E&O to MSPs at this point in time. So it’s not impossible to find, but the amount of carriers offering it have really slimmed down. And the cost to get that tech E&O has become really expensive.
“They’re all like, we’re hard out.”
Jennifer: Did you hear that? The number of insurance carriers willing to offer tech E&O, at least in the US, is down to about half a dozen. That’s a small pool. And if you’ve already had to make a claim?
Wes: There’s a black eye that exists on your company once you get hit and you have to make a claim, like a fully paid out claim. It becomes harder and more expensive in the future to get another policy. The worst thing that can happen is you have to file a claim and have a huge payout because it makes life difficult in the aftermath of that as well.
I talked to an MSP recently who has an open claim. And unfortunately, the way the story was told to me, this open claim is really unfortunate because it’s not necessarily the MSP’s fault, but at this point they sort of have that black aura around them, that like stigma where the carriers are like, wait a second. Because you have to tell carriers if you have an open claim, if you’re trying to get a new policy. And this MSP came to us and they said, What am I supposed to do? I’m coming to all of these different carriers and applying. They’re all like, We’re hard out. You’ve got this stigma over you because you have this open claim. We’re not going to mess with you. We’re not going to touch it. So that’s a rare case. But it is coming. And this makes it really, really, really, really difficult for MSPs.
If you’re a business owner listening to this today, your number one thought when it comes to insurance and cyber breaches is you should be telling your teams, this could shut our doors. We might have the ability to have this thing pay out the first time. But what are we going to do if we have this exposure and we have trouble finding a good policy or any carrier at all that will take the risk with us in the future? And then it happens a second time. I don’t know how we survive. So I’ve never seen that happen yet. And I don’t want to be the fearmonger. But I do think it’s a realistic fear that all MSPs should be thinking about and prepared for in operating on the assumption that that could happen and thereby doing the right things in place to to reduce that chance from ever occurring.
“This is a very cyclical business that we’re in”
Jennifer: Now that we have a clear understanding of why the cyber insurance market is acting the way it does, where do we go from here? Will things ever stabilize or is cyber insurance just going to get harder and more expensive to get every year? Wes
Wes: I still think the next year we’re going to see premium rates go even higher. But I think what will happen is as the carriers are pushing more maturity into clients and forcing them to do more, that reduction in loss ratio that we’ve seen recently just start to finally come down for the first time in like three years, I think it’s going to come down and come down and come down and come down. And if it comes down to a much lower level, let’s say 35 to 40%, we might see a stabilization in the cost of insurance.
Jennifer: Chris also sees positive signs in the market.
Chris: It’s interesting how an insurance marketplace evolves and you can usually see indicators of the path that we’re going to proceed down. And we’ve started to see that and where we’ve seen signs of eventual stabilization in cyber insurance is in excess insurance pricing. So for larger companies that require programs that can’t be ring fenced with a single policy, you have layers of coverage.
You might have a primary insurer that provides 3 million in coverage and an excess insurer that provides another 3 million on top of that. In almost all cases, pricing for the primary programs at renewal are still going up. But we’ve seen mitigation in the excess. Particularly in larger programs, we’ve seen much more competition on those excess layers among insurers than we’ve seen in two or three years. And in some cases, we’ve seen either stability or even reduction in some of those excess policy premiums. That to me is an indicator of the direction of the market.
So whereas the last two plus years, we’ve seen 60 to 100% increases in premium, primary, excess, everything, that excess pricing dynamic shows me that we’re trending toward some level of normalization.
This is a very cyclical business that we’re in in insurance and the market now that’s the hardest in 30 years will at some point soften. So we’ll go through that period of more sustained balance. And I think that probably lasts for a good while. Once we normalize, we probably have a couple of years of stability. At some point we’ll see pricing trend down. I’m confident in that.
“There’s a lot of knee jerk and reactivity in the carrier marketplace”
Jennifer: Wes and Chris seem to agree that the cyber insurance market will stabilize…eventually. But we’re probably in for a rough couple of years before that happens. So in the meantime, what can you do as an MSP to get a handle on cyber insurance, especially those crazy premiums. Wes says, much like you’d get multiple quotes on any contract, you want to shop around.
Wes: The reason you want such breadth of access is the carriers don’t all operate in lockstep. So an example of this, let’s say you’re a CPA today and you have Carrier A and Carrier A had a bunch of CPA breaches over the past year or similar industry. And so they say, you know what, your industry is really high risk. We’ve seen a lot of attacks so the cost for you to get reinsured with us even though you didn’t have any open claims at all, is now four times expensive because we’ve got to make margins here. You’re just an expensive industry. But we go talk to Carrier B down the street and Carrier B is like what are you talking about? We’ve seen barely any CPAs. They’re way cheaper. Way cheaper.
And this happens all the time. I see oftentimes you go shop the market and you have breadth of access, you’re going to save a thousand. I’ve seen as high as — and this is a big expensive policy — I’ve seen as high as $15,000 in a cheaper policy. Like policies, same coverages, same exclusions, same everything. It’s just because the carriers don’t really share that information with one another. And so there’s a lot of knee jerk and reactivity in the carrier marketplace. And so, yeah, you’ve really got to go shop.
“That’s the mousetrap that we’ve built”
Jennifer: Chris works at Blackpoint Cyber, which for most of its history has been a security technology company. These days, Blackpoint also offers a cyber insurance package that comes bundled with the company’s security tech. Chris thinks integrating technology into insurance, or insurance into technology in this way is a key to lowering premiums and something we’ll see a lot more of in the future.
Chris: What do we need to do as an MSP to bring insurance into the ecosystem and make sure that it’s communicating with everything else that we’re doing. We, the MSP, are spending a ton of energy and capital to really provide a best in class security and tech suite to our clients. Let’s make sure the insurance knows that. Bring it into that conversation. And if there are ways to specifically integrate insurance with those components of the security ecosystem, then let’s do it. Because that substantively affects our ability to achieve favorable results in the market.
We’ve got about a $35 million book of business, annual cyber insurance premium. The last 24 months of data suggest to us that that book should be producing about $25 million a year in losses, and we’re at zero over the last two and a half years. Knock on wood, we haven’t had to make those calls to insurance companies. So what it’s allowed us to do is to take that portfolio to the market and say, hey, this is best in class. How can we realize the impact of that technology across this portfolio? So everything that we do on the insurance side is predicated upon the core tech. That’s the mechanism that allows us to unlock that value in the market.
Jennifer: So basically you’ve got a group of companies. You’re saying, look, all of these companies in this portfolio use our security technology. We can guarantee that. And because they’re using our security technology, we can show you that in the last couple of years, there have been zero claims. And so we’re going to offer you this really juicy portfolio, low risk, and you’re going to give us lower premiums. That’s basically it?
Chris: Yet that’s it. And that’s well said. We’ve collectively as buyers put ourselves in a position to approach the market with what is to the insurer a profitable portfolio. In doing so, we want to recognize some of that value back and that’s the mousetrap that we’ve built to get there.
We as SaaS security providers and MSPs are collectively working to provide our end users with suites of software and services and technology that support their hardiness and support their approach to risk. Certainly, insurance is dependent on all that, right? Everything that we do in that environment and that ecosystem is going to impact the ultimate posture of insurance and what’s paid out and what’s not. Insurance has never really been considered as part of that ecosystem. And I think that that’s the disconnect that we have to find a way to fix. I think insurance needs to be really brought back into that environment, back into that ecosystem and considered parallel to the other suites and services and softwares that are germane to hardiness.
“You’ve got a new sword in your hand, which is big, bad insurance”
Jennifer: Wes also points out that improving your security posture is a way to help bring premiums down for everyone in the industry. The fewer claims there are, the sooner the insurance companies can get their loss ratios down to sustainable levels. And oh, by the way, that gives you an amazing sales lever.
Wes: I hope you hear the silver lining in this. The silver lining is what you should be hearing loud and clear from me is you have opportunity to deliver more security controls and a better security stack than ever before because insurance gets to be the bad guy that comes in and says, if you want coverage, you got to do these more things than you ever had to do before. You may not have wanted to do them. You may not have thought you had to do them. But if you want insurance coverage, you have to. Period. End of story. Don’t blame me. I’m just the messenger. The insurance, those are the folks that are requiring it. So I think there’s opportunity in that.
When you kind of take all the carriers together and you boil all of the requirements down, there are five major things that all clients need to have as far as controls. It’s managed EDR. It’s what we call segregated and immutable backups. It’s MFA everywhere. For every single client. It’s vulnerability management, scanning and making sure we’re updating that kind of stuff. And then cybersecurity awareness training and phish testing, those are the five controls.
And you have to be involved in this as an MSP, no questions asked because you’ve got to be able to deliver those things. And again, you should hear silver lining, not threat, in all this. You should be like, wait a second, did Wes just say that insurance requires those five things? I sure did. Did Wes just say that to be eligible for cyber insurance, the client has to have all five of those things? I sure did. And at every conference I go to, I’m like, How many of you have all five of these controls solved for? And every hand goes up. Yep, we got them, we can sell them. And I’m like, How many are selling 100% of these controls to 100% of your clients? And so far to date, Jennifer, not a single MSP has raised their hand.
And I don’t blame you. I’m not saying you’re doing anything wrong, but I’m just saying a new advocate has entered the chat. You’ve got a new sword in your hand, which is big, bad insurance to force that standardization. As an MSP, even though you can’t make money by selling insurance unless you’re a licensed agent. Oh my goodness, you can make so much money by having your clients do the right thing because insurance requires it to be less risky and you make a whole bunch more money by standardizing your control set.
You’ve got to get involved in that process because the risk is too high for you as an MSP in terms of like you’re missing something, there’s something egregious, whatever, and there’s too much opportunity for you to not do it in terms of cross-selling into your stack. So that’s the big takeaway.
Jennifer: That was Wes Spencer, Vice President and Channel Chief for FifthWall Solutions. You’ve also been listening to Chris Wilkerson, VP of Risk and head of insurance at Blackpoint Cyber.
What did you think of today’s episode? Let us know with a review for Workflow on Apple Podcasts or send me an email at email@example.com. If you do leave a review, take a screenshot of it so I know it’s you and email it to me. I’ll send you your choice of a free Workflow or Syncro t-shirt.
And don’t forget to tell your friends about us. Until next time, this is Jennifer Tribe. Thanks for listening.
Listen, rate & subscribe
🔊 Listen on: Apple Podcasts | Spotify | Google Podcasts | Your podcast player of choice
➕ Follow and subscribe to get new episodes as they publish.
🤔 Tell us what you think with a review on your podcast platform. Send a screenshot of your review to firstname.lastname@example.org and we’ll send you a Workflow for MSPs t-shirt.
Resources from this episode
- Fight Back: What You Can Do About MSP-Targeted Ransomware (Frankly MSP EpP051)
- Wes Spencer (on LinkedIn)
- Wes Spencer (on YouTube)
- The CyberCall
- FifthWall Solutions
- Chris Wilkerson (on LinkedIn)
- Blackpoint Cyber
- Blackpoint RISK
It’s time to find your flow
Workflow for MSPs is brought to you by Syncro, the integrated platform for running a profitable MSP. Enjoy PSA, RMM, and remote access in one affordable package. Start your free trial today.